Three Steps To Improve Your Ransomware Resilience

This is a cold hard fact: Ransomware is on the rise.

What is ransomware?

It’s where hackers break into your network, encrypt your data so you can’t access it, and then charge you a large ransom fee to unlock it. It’s the most disruptive and costly kind of attack you can imagine. And very hard to undo.

Why is it a big deal?

Ransomware attacks are dramatically up thanks to the pandemic. All the urgent changes that businesses went through last year created a perfect storm with plenty of new opportunities for cyber criminals.

Is my business really at risk?

Thanks to automated tools used by hackers, all businesses are being targeted all the time. In fact, hackers prefer to target small businesses as they typically invest less time and money into preventive security measures compared to large companies. It’s estimated a business is infected with ransomware every 14 seconds.

How can my business get infected with ransomware?

42% of ransomware comes from phishing emails. This is where you get a legitimate-looking email asking you to take a specific action. You only need to click a bad link once to let attackers quietly into your system. And it doesn’t have to be you who clicks… it could be any member of your team.

Why is it so hard to undo?

A ransomware attack takes weeks for the hackers to set up. Once inside a network, they stay hidden and take their time to make lots of changes. Essentially, they’re making it virtually impossible for an IT security company such as ours to undo the damage and kick them out once the attack has started. If you haven’t thoroughly prepared for a ransomware attack before it happens, you are much more likely to have to pay the fee.

How much is the typical ransom?

The hackers aren’t stupid. They know trying to get $150,000 out of a small business simply won’t happen. But you might stump up $10,000 just to end the hell of a ransomware attack. They will change their ransom demand based on how much money they believe a business has.

Of course, the ransom isn’t the only cost associated with an attack. There are countless indirect costs. Such as being unable to access your data or systems for a week or longer. How horrendous would it be if no one could do any work on their computer for a week? How would your customers react to that?

What can I do now to protect my business?

This is the most important question to ask. It’s virtually impossible to stop a ransomware attack from happening. But you can do an enormous amount of preparation, so if an attack does happen, it’s an inconvenience, not a catastrophe.

Here are the three steps we recommend for maximizing your ransomware resilience.

Act as if there’s no software protecting you

Software is essential to keep your business safe from all the cyber security threats. But there’s a downside of using this software – it can make you and your team complacent.

Actually, humans are the first defense against cyber-attacks. For example, if your team doesn’t click on a bad link in a phishing email in the first place, then you’re not relying on software to detect an attack and try to stop it.

This means basic training for everyone in the business, and then keeping them up-to-date with the latest threats.

Invest in the best data backup and recovery you can

Automatic off-site data backup is a business basic. When you have a working backup in place, it can be tempting not to give it a second thought.

But it’s worth remembering that cyber criminals will take any means necessary to get you to pay their ransom. That means they’ll target your backup files too. Including cloud-based data.

It’s critical that you create and implement a comprehensive back-up and recovery approach to all of your business data. The National Institute of Standards and Technology sets out a cyber security framework which includes best practices such as:

• Constant backups: Separate from the computers and ideally in the cloud
• Immutable storage: This means once created, backups can’t be changed
• Firewalls: To restrict what data gets in and out

Create a plan for cyber-attacks

When a cyber-attack happens, every second is crucial. The earlier you act, the less damage is caused.

So, prepare a detailed plan of action and make sure everyone knows what’s in it, where to find it, and how to trigger it.

Test your plan regularly to make sure of its effectiveness and remove any risk of failure by keeping at least three copies of it in different places. One should be a printout kept at someone’s home… just in case you have zero access to data storage.

Human Error: The Reason Why Cybercriminals Love Email

Mark Funchion is a network technician at Tech Experts.

Defending your data network against viruses, malware, ransomware, and other threats is a never-ending battle. Some attacks can be very sophisticated, using extremely complex techniques to try and exploit even the most secure networks. However, the vast majority of threats to your network – over 80% – are delivered through a very basic method: email.

Email is a common tool that many of us use constantly at work. Oftentimes, we use it without giving much thought to what we’re doing or what we’re opening.

It’s normal for co-workers, clients, or new prospects to communicate and share files with us via email. The file can be a document, spreadsheet, PDF, etc., but the fact is that it’s common and repetitive to us.

Like anything we do frequently, we can develop muscle memory. Think about the program guide on your TV – you probably navigate the menus without thinking. After an update or a provider switch, those menus can change and you might click the wrong buttons out of habit. No harm there.

But consider making the same mistake when a document is sent to you. The message arrives, and you briefly glance at who it’s from. Maybe you recognize them, maybe you don’t. You see an attachment, and you open it out of habit. The file is infected, and in less than a second, the damage has begun.

Like it or not, the people who are attacking your systems are running a business. Like any business, they are concerned with the return on their investment. Developing high-end, sophisticated attacks takes time and skill, which is expensive to do.

However, minimal skill is required to send an email – and that process can be replicated to hundreds of thousands of users with a simple click of a button. And almost everyone working today might accidentally open an email with little to no thought.

For small businesses, having a firewall, an email filter, and anti-virus software is a must. We can help install and maintain that infrastructure. Unfortunately, the methods that attackers use to slip under your defenses are always changing.

It is important that you and your staff – the end users who do the clicking – still do your part and remain vigilant. Attackers send such a high percentage of attacks through email because of that human element. It works.

It’s essential that you fight your muscle memory and treat email like physical mail. Look at what is being sent, who it is from, and if there is anything attached. If anything seems off, do not open it. Always err on the side of caution.

Also, if you do open something you shouldn’t, it’s better to notify your IT department or provider of a potential issue so they can look at what you were sent.

Often, I have observed someone get a suspicious message, open it, notice something is not right, then forward it to a co-worker for help. By sending the message on, there is a potential to increase the scope of damage done.

Those looking to do harm and steal information will always try the path of least resistance. All the security in the world can’t stop an intruder if you open the door for them.

The same caution you take at home when an unexpected knock is heard should be how you handle all email. Consider the source and content, and if you have doubts, don’t open the message. Delete it.

Malware will never be fully eradicated – cybercriminals will make sure of that – but you can do your part to make sure you do not infect your PC or business.

Think You’re Covered For Ransomware? Best To Double Check

On May 9, European insurance giant AXA announced it will no longer provide support for ransom payments made to hackers.

While AXA appears to be the first insurer to deny ransom payments, the move could signal an impending shift in ransomware insurance coverage.

The AXA announcement comes as ransomware attacks prove an increasingly lucrative business model.

For instance, victims paid an estimated $350 million in ransom payments in 2020, over 300 percent more than in 2019. In recent high-profile cases, Colonial Pipeline paid attackers $4.4 million, and CNA Financial Corporation paid a whopping $40 million.

Meanwhile, cyber criminals continue to attack organizations across critical sectors. While the FBI and other security experts warn against paying ransoms, companies face devastating losses and even interruptions to critical care.

Cybersecurity best practices, combined with following recommended steps when an attack does occur, may provide the best protection.

Ransomware insurance coverage

Cyber insurance has become a hot topic as organizations scramble to protect themselves against losses resulting from cyber-attacks. In addition to ransom negotiations and payments, typical policies also cover legal costs, as well as costs for forensic analysis, data restoration and communications related to the breach.

However, even before the AXA announcement, many cyber insurance companies had begun to ask more from the companies they insure.

For instance, some insurers require policy holders to complete certain basic security steps. Others have begun to charge a coinsurance or limit payment to a percentage of the loss incurred.

To pay or not to pay

This evolution in cyber insurance reflects more than a move by insurers to manage their own risk. The FBI and other government agencies, as well as many cybersecurity experts, warn against paying ransoms. Researchers at cybersecurity provider Kaspersky explain that paying a ransom provides no guarantee that organizations will recover their data intact.

More importantly, paying the ransom encourages attackers to carry out more attacks. And some experts suggest that carrying cyber insurance actually makes organizations more attractive targets. Clearly, companies cannot depend on insurers to continue to shoulder the bulk of the cyber risk.

Best practices to protect against ransomware attacks

While cyber insurance still provides significant benefits, organizations must focus on cybersecurity best practices to defend against ransomware. Some of those best practices include:

Regular backups – Conduct regular data backups, including system images. Keep multiple copies of the backups, including a copy not connected to the network. And make sure to test the backups.

Keep systems and software up to date – Apply security updates to software, firmware and operating systems when they become available. This includes antivirus and other security solutions.

Develop and review an incident response plan – Having a detailed plan in place before a security incident occurs greatly increases the chance of a successful outcome.

Conduct regular cybersecurity training – While organizations can, and should, implement technology solutions, employees remain a key line of defense against cyber-attacks. Make sure users know how to recognize phishing attempts, share files safely and secure home offices.

Address third party risks – Look into the security practices of the vendors with which you do business to ensure they do not put your company at further risk.

Carefully regulate access controls – Give users only the access they need to the services and data necessary to perform their jobs. This proves even more important in a remote work environment.

Lately, Ransomware Has Added Blackmail To Its Arsenal

Mark Funchion is a network technician at Tech Experts.

At this point, ransomware is practically a lifeform – it’s constantly growing and adapting.

Originally, if you were hit with ransomware, your data was encrypted and you could pay to (hopefully) get the data restored.

If you had an effective backup solution, you could restore your data without paying and adjust your security to prevent this from happening again.

Now, many of these attackers using ransomware have upped their game. They realize that more businesses are using backups, so the chances of getting paid are lessening. To combat that, the attackers added an additional feature to their attacks: blackmail / extortion.

Not only do they encrypt your data, but they take it as well. Now, the payment is to decrypt the data AND keep it from being posted online for all to see.

If you are a business with sensitive files, this can be a real issue. Having a backup is not enough in this case; even if you don’t pay the ransom and you’re back up and running in a few hours, all your data could be shared. Worse than the hassle of recreating all your files, the lasting effects from customer data, financials, and personal information being leaked could be devastating.

This is why it’s crucial to partner with an IT provider who understands network security.

An effective and tested backup solution is important, but there’s more that you need to have in order to be protected. Your network needs to be secured with a firewall, and all your devices need to be patched regularly to limit your exposure when exploits are discovered.

Are you using 2FA? Do you know what 2FA is? Are your passwords changed regularly and are they complex? Do all users in your office use the same password? Do they share accounts?

We know it seems more efficient to have easy passwords and shared log-ins, but it’s a huge security risk.

Businesses often find it easier to give users full administrative access to their local machine and network shares too. However, in that scenario, one compromised password that has full access to everything means the attackers do not need to look any further and can “walk” right in.

Another item that too many people turn off or find annoying is User Account Control. Yes, it can be frustrating to verify your user identity when you want to make changes.

That is, until a malicious program is launched without your knowledge and the User Account Control prompt stops your network and data from being attacked. What’s worse – a few seconds’ worth of verification or a costly business disaster?

These cyberthreats will always continue to grow and evolve. They have been since we started using the Internet. If you are not in the business of technology, it is very difficult for you to adapt efficiently enough to stay secure.

That is why the right technology partner who does adapt and evolve is very important to the success of your business.

Over $1 Trillion Lost To Cyber-crime Every Year

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

$1 trillion! That’s a lot of money. And it’s a figure that’s increased by more than 50% since 2018.

In 2019, two-thirds of all organizations reported some type of incident relating to cyber-crime.

You could make a sure bet this figure rose significantly last year, thanks to criminals taking advantage of the pandemic.

It’s easy to look at big figures like these and not relate them back to your own business. But here’s the thing. The average cost of a data breach to a business is estimated to be around $500,000.

[Read more…]

Four Signs You’re Under Attack From Ransomware

You’ve probably heard a lot about ransomware recently. This is the computer attack where a hacker locks you out of your systems and data. And you must pay a ransom, typically in Bitcoin, to get access again.

While it’s not a new crime, it’s one of the fastest growing crimes online because it’s so lucrative to criminals. Thanks to COVID and work-from-home, more and more businesses are unintentionally opening themselves up to the threat.

In fact, it’s estimated there are more than a hundred calls to insurers every day relating to problems caused by ransomware. Unless you take necessary precautions, your business could fall victim.

But how do you know you’re not already under attack? Because here’s something most people don’t realize about ransomware. If a hacker gets access to your systems today, they won’t launch the attack right away. It can take around 60 to 100 days – if not longer – from the time you’re breached, to the delivery of ransomware.

You might be wondering why these cybercriminals spend such a long time launching their attack. They spend weeks or more just skulking around, investigating your network for weaknesses, and waiting for just the right time to maximize their profit.

So how do you know if you’re under attack? And what do you do if you are? Here are four of the best ways for you to check that your network is safe and secure.

Check for open RDP links
What’s an RDP link and how do you open or close it? We don’t want to get too techy here, so put simply, an RDP (or Remote Desktop Protocol) is Microsoft technology that allows a local computer to connect to and control a remote PC over a network or the Internet.

You’re probably utilizing this kind of thing if you’ve had any of your people working from home this year, as it makes remote access a lot easier. But RDP links left open to the Internet are a very common route for cybercriminals to enter your network.

Look for unexpected software
One of the methods ransomware gangs use to take control of your system is certain software tools. It’s important that you use a network scanner to check exactly what’s running and who’s running it.

Often, cybercriminals will take control of just one PC first, perhaps using a phishing email to persuade someone to click on a bad link without realizing it. Once they have control of one PC, they can then target the entire network.

Criminals also utilize tools to steal your passwords and log-in credentials. If you spot anything unfamiliar anywhere in your system, contact your IT support partner, who can investigate further.

Monitor your administrators
Your network administrators typically have the authority over which applications are downloaded to your network. So what’s the best way for hackers to download the applications they need? They create a new administrator account for themselves.

Then they can download whichever tools they need to compromise your network.

Check for disabled tools and software
Once the cybercriminals have administrator rights, they can locate and disable your security software. You can tell that an attack is close to being launched if something called Active Directory and your domain controllers are disabled.

Next, any backup data the criminals have found will be corrupted. And any systems that automatically deploy software will also be disabled to stop your attempts to update your computers after an attack.

It’s worth remembering that this will all be done slowly. Your hackers will take their time because that makes it much harder to detect them.

Once an attack has been launched and your data held to ransom, most of the time there’s little you can do other than attempt to restore backups. Or pay the ransom.

The hackers have normally been so thorough with their preparation that even the best IT security specialists have few options open to them.

So, once you’ve detected that something might be wrong, what can you do to stop an attack from being launched?

You can force a password change across your core systems, which many times will also throw your attackers out.

Monitor your administrator accounts. This may sound like a simple step, but you’d be surprised at how often it’s neglected.

Keep all of your software and security patched and updated. It’s very tempting to click ‘later’ on updates. But saving a little time now is not worth the huge amount of time and money that you’ll lose should you become the victim of a ransomware attack.

Implement multi-factor authentication across all of your applications, if you haven’t already. This adds another level of security for your network and helps to prevent unauthorized access.

Is There A Hidden Intruder Lurking In Your Business?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

If you’re like us, you believe you have the best, most trustworthy people working for you.

But have you ever considered the possibility you may have someone unknown hidden within your business, trying to cause a lot of damage and make a lot of money at the same time?

This might sound a little far-fetched. Perhaps something that’s more likely to happen in a film than in your business.

But actually, you’d be surprised. Cyber criminals are targeting businesses exactly like yours all the time.

Because often, small and medium sized businesses don’t spend big bucks on their cyber security. Hackers know this. And will put a lot of effort in to try to exploit that. [Read more…]

Targeted Attacks On Small Businesses Are On The Rise

Mark Funchion is a network technician at Tech Experts.

Many of us have heard of ransomware. This is an attack where someone gains access to a system and encrypts all of the data until a ransom is paid. Once they get their money, they either unencrypt the data… or not. There is no guarantee that paying the ransom will actually work.

Most attacks in the past, both viruses and ransomware, were the “spray and pray” variety. Basically, the attackers would send out thousands (or hundreds of thousands) of emails and hope that a small percentage of them were successful. This procedure worked, but the success rate was low and the attackers had to have a large volume to make it successful.

The more profitable attacks that are on the rise are targeted attacks. These attacks rely on quality rather than quantity. Research goes into the attacks that then target a single or very few companies. These attackers will even go as far to check a company or institution’s financial information to see how much of a ransom they can expect to get.

In addition to demanding a ransom for the data to be decrypted, there is often a threat that the data will be released if the ransom is not paid. The threat of data being released can lead to the ransom being paid even if the target has a way to recover from the attack.

While many home users would hate to have their data released, it would not be completely devastating in most cases. If you are a financial, medical, or education institution, it could end your business or severely harm it. These institutions all contain sensitive information of their employees and clients.

For this reason, a recent spike has been seen in the UK involving their schools. Attackers are seeing schools as an easier target in today’s environment with the increase in remote learning. Banks and hospitals have been targeted numerous times before, and their main goal is to be as secure as possible, spending large amounts of money on it.

Schools and universities, on the other hand, are concerned with security, but they’re in a position today with COVID where they need to have fairly open access.

As colleges are pivoting to a distance learning model on a scale never envisioned, they have to allow more and more access in. This means more and more devices the schools have no direct control over, creating potential entry points into the network.

Although most of you reading this are not educational institutions, there is no industry or business (regardless of size) that is safe from a potential attack. Having a good network security system in place with effective backups is critical.

Don’t rely only on a day or a few days’ worth of backups either; some attacks will infect a system, then remain dormant for a while, hoping to outlive the backups you have available.

Having a technology partner who understands the dangers and how to recover is essential. You cannot just plug in a firewall and use an antivirus software and consider yourself protected.

Your business should have an incident response plan that includes backups and restore procedures, as well as testing. You also need to make sure you have a procedure to keep all of your systems up-to-date with the most current patches. Making sure any remote sessions are secure and using 2FA whenever possible is another area often overlooked too.

The list of vulnerabilities is endless, but we are here to assist. Let us provide you the security and comfort that your business is protecting not only your data, but your users from a potential breach.

Why IT Professional Are Terrified Of Ransomware

If you want to scare someone who works in IT, start talking to them about ransomware.

There are few things as scary for IT professionals as the prospect of their systems locking up with hackers demanding money to return things back to normal.

When discussing it, you may notice them breaking into a sweat and starting fidgeting as they contemplate one of the most terrifying cybersecurity threats computers face.

How does ransomware spread?
There are several ways that ransomware can get into computers.

Email is one of the most common ways in. Hackers will send bad files that can trigger a ransomware infection when opened and quickly spread across your network.

Another favorite way to spread ransomware is to send bad URL links that download ransomware when they’re clicked. This ‘drive-by downloading’ can happen without anybody noticing that anything has happened until it’s too late.

These bad files and links are not always easy to spot. Cybercriminals are getting increasingly sophisticated in the ways they try to persuade people to do what they want them to do.

A growing trend is for cybercriminals to pose as trusted people, like a client, a colleague, or a friend. And ask you to do something urgently before you have the time to think things through.

This isn’t a modern crime. Ransomware’s been around for years
Ransomware dates to the late 1980s when payment was often sent by check through the mail!

Now, modern hackers normally demand payment in cryptocurrencies that make them much more difficult to track.

Here is some information on two of the more infamous ransomware attacks.

WannaCry
The WannaCry ransomware attack took over the news when it spread widely in 2017.

More than 200,000 computers in over 100 countries were left useless. The ransomware exposed weaknesses in critical IT systems, like those in hospitals and factories.

One of the worst-hit victims was the National Health Service (NHS) in the UK. Operating theatre equipment, MRI scanners, and other computers essential for hospitals were left useless and patients suffered.

NotPetya
NotPetya is less well-known than WannaCry but the financial costs are estimated to have been far higher.

Mainly spread among businesses due to the early infection of a major financial software vendor, the cost of this ransomware to small businesses and governments is estimated to have been around $10 billion.

This attack impacted computers around the world. But around 80% of the cases are estimated to have been in Ukraine.

Ransomware Attacks On Healthcare Providers Rose 350% In Q4 2019

Ransomware assaults against healthcare providers expanded an astounding 350 percent during the last quarter of 2019 with the quick pace of assaults previously proceeding all through 2020.

Ransomware attacks dominated healthcare headlines during the later part of 2019 with attacks on IT vendors disrupting services on hundreds of dental and nursing facilities, while a number of hospitals, health systems, and other covered entities reported business disruptions from these targeted attacks.

Also, in December, Blackberry Cylance specialists revealed that another ransomware variation known as Zeppelin was spotted focusing on the human services division and tech associations through the supply chain.

IT research group Corvus broke down the ransomware attacks of the last few years to get a feeling of malware’s effect on the part and its assault surface and discovered there were in excess of 24 announced ransomware occurrences a year ago.

These findings mirror similar reports, which also noted that these numbers are likely lower than the actual number of attacks – as some ransomware victims do not report the incidents to the public.

In fact, Emsisoft research shows that more than 759 healthcare providers were hit with ransomware last year, reaching crisis levels.

Further, the trend has continued in 2020 with at least four healthcare covered entities reporting attacks in January alone. According to Corvus, the number is more than any other quarter in healthcare since Q3 2017. And if the rate continues, there will be at least 12 reported during Q1 2020.

The researchers also found that healthcare actually has a smaller attack surface, on average, than the web average. Those that have reduced their overall exposure, especially hospitals, have limited the risk of exposure.

But health services and medical groups are the most at risk in the sector, according to the data.

That’s not to say that healthcare is successfully securing its attack surface. For example, one of the most common exposure types is through the remote desktop protocol, which is associated with a 37 percent greater likelihood of a successful ransomware attack.

Healthcare is also struggling to secure its email security, overall. Eighty-six percent of healthcare covered entities don’t use scanning and filtering tools on their email platforms. Even hospitals, which typically leverage these services at a higher rate, are failing to deploy this tool at a successful rate (just 25 percent use the tech).

What’s more, health practitioners, such as dentists and physicians are 14 percent less likely on average to use the most basic form of email authentication, which are known to prevent suspicious emails from making it to the inbox.

It’s concerning, as Corvus showed that more than 91 percent of ransomware attacks are the result of phishing exploits.

“Hospitals use email scanning and filtering tools more than average, but the average is low,” researchers wrote. “These services are associated with a 33 percent reduction in the likelihood of a ransomware attack. All healthcare entities should strongly consider such services to help prevent phishing.”

Corvus also found that hospitals are six times more likely to internally host their own servers, instead of leaning on a third-party vendor. As a result, those entities have “the responsibility for maintaining some aspects of security in their court: keeping up with the everchanging threats rather than handing it off.”

“As commodity ransomware has become more readily available and examples of successful attacks on smaller organizations, like local governments, gain attention, attackers may well turn their attention to organizations like individual health practitioners or nursing/long-term care facilities,” researchers wrote.

“We can see that the security measures at these kinds of organizations are average at best, and in some areas worse,” they continued. “Healthcare organizations of all sizes are at risk… They should be taking advantage of opportunities to improve email security.”

As the number of successful ransomware attacks increased, several industry stakeholders released guidelines to help organizations shore up their defenses, including the Department of Homeland Security, Microsoft, NIST, and the Office for Civil Rights. Healthcare organizations, especially those with limited resources, should turned to these insights to bolster their defenses.

Lastly, the FBI has continually reminded organizations that they should not pay the ransom for a host reasons, including that there is no guarantee the hackers will unlock the data and the threat actor may launch a subsequent attack.

Ransomware attacks have cost the healthcare sector at least $160 million since 2016, according to Comparitech.
This article was adapted from research published by Health IT Security.